Health Registration Authority (HRA) is a component of a Network Access Protection (NAP) infrastructure that plays a central role in NAP Internet Protocol security (IPsec) enforcement.

HRA obtains health certificates on behalf of NAP clients when they are compliant with network health requirements. These health certificates authenticate NAP clients for IPsec-protected communications with other NAP clients on an intranet. If a NAP client does not have a health certificate, IPsec peer authentication fails and the NAP client cannot initiate communication with other IPsec-protected computers on the network.

HRA is installed on a computer that is also running Network Policy Server (NPS) and Internet Information Services (IIS). If they are not already installed, these services will be added when you install HRA.

Reference: Health Registration Authority

Q36. HOTSPOT - (Topic 4)

On Server2, you create a Run As Account named Account1. Account1 is associated to an Active Directory account named VMMIPAM.

You need to implement an IPAM solution.

What should you do? To answer, select the appropriate configuration for each server in the answer area.

Answer:

Q37. - (Topic 8)

Your company has a main office, ten regional datacenters and 100 branch offices. You are designing the site topology for an Active Directory forest named contoso.com. The forest will contain the following servers:

* In each regional datacenter and in the main office, a domain controller that runs Windows Server 2012

* In each branch office, a file server that runs Windows Server 2012

You have a shared folder that is accessed by using the path \\contoso.com\shares\software. The folder will be replicated to a local file server in each branch office by using Distributed File System (DFS) replication.

You need to recommend an Active Directory site design to meet the following requirements:

* Ensure that users in the branch offices will be authenticated by a domain controller in the closest regional datacenter.

* Ensure that users automatically connect to the closest file server when they access \\contoso.com\shares\software.

How many Active Directory sites should you recommend?

A. 1

B. 10

C. 11

D. 111

Answer: D


Q38. - (Topic 3)

You need to recommend changes to the Active Directory environment to support the virtualization requirements.

What should you include in the recommendation?

A. Raise the functional level of the domain and the forest.

B. Upgrade the domain controller that has the domain naming master role to Windows Server 2012.

C. Implement Administrator Role Separation.

D. Upgrade the domain controllers that have the PDC emulator master role to Windows Server 2012.

Answer: D

Explanation: From case study:

* Ensure that the additional domain controllers for the branch offices can be deployed by using domain controller cloning.

Q39. - (Topic 6)

You need to configure the Group Policy for salespeople.

Solution: You move all shared desktops to a separate organizational unit (OU). You create one Group Policy object (GPO) that has an AppLocker policy rule and enable loopback policy processing within the GPO. You link the GPO to the new OU.

The network security policy states that when client computers connect to the corporate network from the Internet, all of the traffic destined for the Internet must be routed through the corporate network.

You need to recommend a solution for the planned DirectAccess deployment that meets the security policy requirement.

Solution: You enable split tunneling.

Does this meet the goal?

A. Yes

B. No

Answer: A

Explanation: DirectAccess by default enables split tunneling. All traffic destined to the corpnet is sent over the DA IPsec tunnels, and all traffic destined for the Internet is sent directly to the Internet over the local interface. This prevents DA clients from bringing the corporate Internet connection to its knees.

Is DA split tunneling really a problem? The answer is no.

Why? Because the risk that exists with VPNs, where the machine can act as a router between the Internet and the corporate network, does not apply to DirectAccess. IPsec rules on the UAG server require that traffic come from an authenticated source, and all traffic between the DA client and server is protected with IPsec.

Thus, in the scenario where the DA client might be configured as a router, the source of the traffic isn't going to be the DA client, and authentication will fail, hence preventing the type of routing that VPN admins are concerned about.

Reference: Why Split Tunneling is Not a Security Issue with DirectAccess

Q41. DRAG DROP - (Topic 8)

Your network contains an Active Directory domain named contoso.com. The domain contains five servers. The servers are configured as shown in the following table.

You plan to implement Network Access Protection (NAP) with IPSec enforcement on all client computers.

You need to identify on which servers you must perform the configurations for the NAP deployment.

Which servers should you identify? To answer, drag the appropriate servers to the correct actions. Each server may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Answer:

Q42. - (Topic 8)

A company has a line-of-business application named App1 that runs on an internal IIS server. App1 uses a SQL Server 2008 database that is hosted on the same server. You move the database to a dedicated SQL Server named SQL1. Users report that they can no longer access the application by using their domain credentials. You need to ensure that users can access App1.

Solution: You configure App1 and SQL1 to use NTLM authentication. Then you restart the IIS and SQL Server services.

Does this meet the goal?

A. Yes

B. No

Answer: B


Q43. - (Topic 1)

You need to recommend which changes must be implemented to the network before you can deploy the new web application.

What should you include in the recommendation?

A. Change the forest functional level to Windows Server 2008 R2.

B. Upgrade the DNS servers to Windows Server 2012.

C. Change the functional level of both the domains to Windows Server 2008 R2.

Explanation: * UnRegister-DnsServerDirectoryPartition: The UnRegister-DnsServerDirectoryPartition cmdlet deregisters a Domain Name System (DNS) server from a specified DNS application directory partition. After you deregister a DNS server from a DNS application directory partition, the DNS server removes itself from the replication scope of the partition.

* Add-DnsServerForwarder: The Add-DnsServerForwarder cmdlet adds one or more forwarders to a DNS server's forwarders list. If you prefer one of the forwarders, put that forwarder first in the series of forwarder IP addresses. After you first use this cmdlet to add forwarders to a DNS server, this cmdlet adds forwarders to the end of the forwarders list.

Q45. - (Topic 2)

You need to recommend a solution for the RODC.

Which attribute should you include in the recommendation?

A. systemFlags

B. searchFlags

C. policy-Replication-Flags

D. flags

Answer: B

Explanation: * Scenario: Deploy a read-only domain controller (RODC) to the London office

* The read-only domain controller (RODC) filtered attribute set (FAS) is a set of attributes of the Active Directory schema that is not replicated to an RODC. If you have data that you do not want to be replicated to an RODC in case it is stolen, you can add these attributes to the RODC FAS. If you add the attributes to the RODC FAS before you deploy the first RODC, the attributes are never replicated to any RODC.

* To decide which attributes to add to the RODC FAS, review any schema extensions that have been performed in your environment and determine whether they contain credential-like data or not. In other words, you can exclude from consideration any attributes that are part of the base schema, and review all other attributes. Base schema attributes have the systemFlags attribute value 16 (0x10) set.

Reference: Customize the RODC Filtered Attribute Set

Q46. - (Topic 8)

You manage a server infrastructure for a software development company. There are 30 physical servers distributed across 4 subnets, and one Microsoft Hyper-V cluster that can run up to 100 virtual machines (VMs). You configure the servers to receive the IP address from a DHCP server named SERVER1 that runs Microsoft Windows Server 2012 R2. You assign a 30-day duration to all DHCP leases.

Developers create VMs in the environment to test new software. They may create VMs several times each week.

Developers report that some new VMs cannot acquire an IP address. You observe that the DHCP scope is full, and you manually delete the leases of devices that no longer exist. All physical servers must keep their current DHCP lease configuration.

You need to ensure that the DHCP lease duration for VMs is 8 hours.

What should you configure?

A. 4 server-level Allow filters

B. 1 server-level DHCP policy

C. 1 scope-level DHCP policy

D. 4 scope-level exclusion ranges

Answer: B

Q47. - (Topic 8)

A company has offices in multiple geographic locations. The sites have high-latency, low-bandwidth connections. You need to implement a multisite Windows Deployment Services (WDS) topology for deploying standard client device images to all sites.

Solution: At each site, you install a WDS Server. You apply the same configuration settings to each WDS Server. You configure Distributed File System Replication (DFSR) to synchronize install images.

Does this meet the goal?

A. Yes

B. No

Answer: A

Q48. - (Topic 8)

You deploy an Active Directory domain named contoso.com to the network. The domain is configured as an Active Directory-integrated zone. All domain controllers run Windows Server 2012 and are DNS servers.

You plan to deploy a child domain named operations.contoso.com.

You need to recommend changes to the DNS infrastructure to ensure that users in the operations department can access the servers in the contoso.com domain.

What should you include in the recommendation?

A. A zone delegation for _msdcs.contoso.com

B. Changes to the replication scope of contoso.com

C. Changes to the replication scope of _msdcs.contoso.com

D. Changes to the replication scope of operations.contoso.com

Answer: B

Explanation:

Manually Create a Delegation for the Child Domain on the Parent (Root) DNS Server

1. Right-click the root zone, click New Delegation, and then click Next.

2. Type the domain name for the child domain, and then click Next.

3. Add the child DNS server to host the new zone, and then click Next.

NOTE: A domain controller that is a DNS server should have a static Transmission Control Protocol/Internet Protocol (TCP/IP) address. Verify that this step is performed before you install DNS on the child domain controller. If no DNS TCP/IP address exists, DNS is installed as a root server. If you see that a "." folder is created after you install DNS, you must remove the root configuration. For additional information about how to do this, click the article number below to view the article in the Microsoft Knowledge Base: 229840 DNS Server's Root Hints and Forwarder Pages Are Unavailable